Process Encrypted Data

Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. Although this is a powerful security enhancement, there will be situations where you’ll need decrypted data in order to perform validation checks, run calculations, or do some other processing.

Evervault Functions lets you process sensitive plaintext data in a secure environment by using serverless functions that are hosted on Evervault’s infrastructure and written in Node.js or Python.

Any encrypted data that is passed to a Function is decrypted by the Function’s runtime. This allows you to perform logic on that data as you normally would — without handling it in plaintext on your infrastructure.

An isometric drawing of a workflow that uses Evervault Functions. An encrypted payload is sent to the Function, the Function's runtime decrypts the payload

Deploy the Function

The easiest way to deploy a Function is via the Evervault Dashboard. Navigate to the Functions tab, click Create Function, Authenticate with GitHub, then deploy the Starter Template in either Node.js or Python. Depending on which language you choose, the following code will be deployed:

Although we’re using a Function Template here, you can deploy any Node.js or Python code to a Function as long as it assumes the same function handler syntax. You’ll notice that the Function runtime passes two arguments to the handler method: data and context. The data argument includes (previously encrypted) data that is decrypted by the Function runtime. The context argument exposes an encrypt method which can be used to encrypt data within the body of a Function.

This Starter Template code expects an encrypted name value, which is decrypted by the Function runtime, before its characters are counted and returned.

Run the Function

Functions can be invoked using our Server-Side SDKs, our CLI or by sending an HTTPS request. To invoke a Function, you’ll need the Function Name, which can be found in the Evervault Dashboard, along with an encrypted payload. Try any of the examples below to run the Function we just created in a language of your choice:

To run a Function using Node.js, first install and initialize the Evervault Node.js SDK in your application using your App ID and API Key. Both credentials can be found in the Evervault Dashboard. Before running the Function, we’re going to encrypt a string using the encrypt method that’s exposed by the object returned from the Evervault constructor.

If you run the Function, the encrypted value for name is decrypted by the Function runtime, allowing the character counting logic to be performed on the plaintext value.

If the Function ran successfully, the following response will be returned. Any payload returned from a Function will be contained within the result key. The response will also include a runId, a unique identifier for this Function’s invocation. Lastly, the appUuid in the response includes the identifier for the Evervault App that this Function belongs to.


Functions are a useful Primitive for processing data that was previously encrypted by Evervault. To learn more about the capabilities and specifications of Functions, check out the Functions Primitive or the Server-Side SDK Reference documentation for your language of choice.